feat: deployed frontend, postgres, rev-proxy, tailscale config, initialisation scripts

This commit is contained in:
Luka Dekanozishvili 2026-01-31 14:28:52 +01:00
parent f48059e37e
commit a24fd5bd93
20 changed files with 413 additions and 262 deletions


@ -2,7 +2,7 @@
let
domain = "hexname.com";
stalwartDomain = "mail.${domain}";
stalwartDomain = "mx.${domain}";
roundcubeDomain = "email.${domain}";
dataDir = "/var/lib/stalwart-mail";
@ -59,22 +59,22 @@ in
principals = [
{
name = "contact-us@${domain}";
email = [ "contact-us@${domain}" "@${domain}" ];
secret = "$6$E8AhTdIdgl2ag6/x$reYvoPByjvkPK/Uwm3/481BBBkuBKQxd3rgSgQw3PawJ4G8TOt0jlIXdOo5xuDv1DQAdn52lUAgx0U9GSVoc7/";
email = [ "contact-us@${domain}" "privacy@${domain}" ];
secret = "$6$iyUwAnKuGTz31jeu$QPfoaUQPccVDWjCWs4PY43dBI6oG4eNb7buNlGBlnNJrvQOePYKyF8RXN8FI5H6y2x191kOa4U8aDD4K/ssKn/";
class = "individual";
}
{
name = "no-reply@${domain}";
email = [ "no-reply@${domain}" ];
secret = "$6$V/u1LImVZAyynuLO$l/mMaLWQ5t0jWz6XWNlHcha8nuTQbjQfES.Nj73mNS0xQjv3vu5z03fLMAt3hxAb5BwE3jgtfmh.PknBjM1M//";
secret = "$6$FpTIF6mjoBRXyZAO$9lqf/u3NyJNHYNutFY0WmPkbfkq8J.SIkhzya3izl7AbCRE72TlyKeGx/OOyPuI1QTMV10NgOEGzL8jboOWhZ1";
class = "individual";
}
];
};
authentication.fallback-admin = {
user = "superdupermegaadmin";
secret = "$6$LPDx0LFqtpAVJO2s$GPR/4Rguhmspy8OLLKI2oZxVgvWrlHRckd6WN2RZNMxkSN9YMiPJ/pfq.XD/VTKsqCu2GCnzerQOv5bivBCph.";
user = "unguessable-username";
secret = "$6$1sRTqTbiXuGNE3zt$oLcXi.kPsy72W5SDMwWSitpJyKlZSKSzhr1QO3DBn6Q9LSE.YpWUbT2Thu5Kbs0bmTMvqAPFI7x/qa1wm9Bj91";
};
email.folders = let
@ -92,28 +92,6 @@ in
trash = mkFolder "Trash";
};
session.rcpt = {
catch-all = true;
script = "'reject-addresses'";
};
sieve.trusted.scripts.reject-addresses.contents = ''
require ["envelope", "reject"];
if anyof (
envelope :is "to" "no-reply@${domain}"
envelope :is "to" "info@${domain}",
envelope :is "to" "contact@${domain}",
envelope :is "to" "support@${domain}"
envelope :is "to" "marketing@${domain}",
envelope :is "to" "sales@${domain}"
) {
reject "403 This address does not accept incoming mails.";
}
redirect "contact-us@${domain}";
'';
# Change the DNS records manually to these addresses to
# keep postmaster free for non-automated emails
# https://github.com/stalwartlabs/mail-server/discussions/877
@ -164,7 +142,7 @@ in
storage.blob = "fs";
# We have DANE and don't want a certificate for each domain
# session.mta-sts.mode = "none";
session.mta-sts.mode = "none";
certificate.default = {
cert = "%{file:${credPath}/cert.pem}%";
@ -249,24 +227,9 @@ in
security.acme.certs.${stalwartDomain} = {
# Keep a stable private key for TLSA records (DANE)
# https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/14
# extraLegoRenewFlags = [ "--reuse-key" ];
extraLegoRenewFlags = [ "--reuse-key" ];
# Restart Stalwart to apply new certificates
reloadServices = [ "stalwart-mail.service" ];
};
# services.restic = {
# backupPrepareCommand = ''
# ${pkgs.coreutils}/bin/install -b -m 700 -d /tmp/stalwart-db-secondary /tmp/stalwart-db-backup
# ${lib.getExe' rocksdb.tools "ldb"} --db=${dataDir}/db --secondary_path=/tmp/stalwart-db-secondary backup --backup_dir=/tmp/stalwart-db-backup
# '';
# backupCleanupCommand = ''
# rm -rf /tmp/stalwart-db-secondary
# rm -rf /tmp/stalwart-db-backup
# '';
# paths = [
# "/tmp/stalwart-db-backup"
# "${dataDir}/blobs"
# ];
# };
}
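Review bot: The rotated password hashes in the `principals` and `authentication.fallback-admin` hunk are still string literals inside the Nix module, so they end up in the world-readable Nix store of every generation and in git history next to the hashes they replace; the file already reads the TLS certificate through Stalwart's file macro (`cert = "%{file:${credPath}/cert.pem}%"`), and the same macro keeps credential material out of the store, e.g. `secret = "%{file:${credPath}/contact-us.secret}%";` (path illustrative, the admin entry likewise). Rotating salt and hash only helps if the underlying passwords were changed too, which the diff cannot show. Dropping the `@${domain}` catch-all from the contact-us principal is consistent with removing `session.rcpt.catch-all` and the `reject-addresses` sieve script, but mail to the aliases that script used to reject (info@, support@, sales@ …) will now presumably be refused at RCPT time as unknown recipients instead of with the custom 403 text; worth a one-line comment near the `principals` list stating that this is intended.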